328 episodes

The Technado crew covers a whirlwind of tech topics each week from interviews with industry experts and up-and-coming companies to commentary on topics like security, vendor certifications, networking, and just about anything IT related.

Technado ACI Learning

    • Technology

    355: One MILLION Sites Affected by Critical Flaw?! (Technado visits HackSpaceCon!)

    Live from HackSpaceCon, it's Technado! This week, malware takes center stage: beware of bogus NordVPN downloads and YouTube videos promising Fortnite cheats. If you use a D-Link NAS device that's reached its EoL, you might want to check for a backdoor account. In the return of the beloved Tinfoil Hat segment, Five Eyes data has allegedly been stolen & exposed during a breach. Keeping with our space theme, NASA has finally cracked the case of Voyager 1 sending gibberish data. We wrap up our Rapid Fire articles with a critical flaw affecting one million WordPress websites, an update on the Ivanti debacle (four more vulns!), and a special "Crow" segment featuring million-dollar rewards for zero-days. After a quick break, we dive deep into a new malware variant called Latrodectus - and it's just as dangerous as the venomous spiders it's named after. (Stick around to see Dan and Soph mewing for the camera.) Want to read further? Take a look at the stories we covered this week: https://www.malwarebytes.com/blog/thr... https://www.bleepingcomputer.com/news... https://gbhackers.com/hackers-deliver... https://www.scmagazine.com/brief/alle...

    • 1 hr 11 min
    iPhone Users Beware: MFA Bombs Imminent!

    It's a packed week on Technado! First up in Rapid Fire, we talk about the Linux backdoor that's got everyone fired up - but all is not as it seems. Then, our Pork Chop Sandwiches segment stars Hot Topic in their latest credential stuffing dilemma (and a brief cybergoth appearance thanks to Christian). Activision is looking into some password-stealing malware affecting some of its players (read: cheaters).
    We wrap up Rapid Fire by discussing the recent MFA bombing attacks plaguing iPhone users, along with a special Deja News double feature: we have updates on the PyPI and AT&T situations!
    After a quick break, it's time for our deep dive! Daniel gets into the details of the new and improved (?) Android malware Vultur. Finally, we finish up this week's episode with a mini-dive into Imperva Secure Sphere's WAF bypass.
    Want more details? Check out this week's references:
    https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
    https://www.bleepingcomputer.com/news/security/retail-chain-hot-topic-hit-by-new-credential-stuffing-attacks/
    https://techcrunch.com/2024/03/28/activision-says-its-investigating-password-stealing-malware-targeting-game-players/
    https://www.techopedia.com/news/call-of-duty-hack-alert-malware-drains-bitcoin-from-gamers-wallets
    https://www.bleepingcomputer.com/news/security/owasp-discloses-data-breach-caused-by-wiki-misconfiguration/
    https://www.darkreading.com/cloud-security/mfa-bombing-attacks-target-apple-iphone-users
    https://securityboulevard.com/2024/03/pypi-suspended-500-fakes-richixbw/
    https://techcrunch.com/2024/03/30/att-reset-account-passcodes-customer-data/
    https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan/
    https://www.hoyahaxa.com/2024/03/imperva-waf-bypass-cve-2023-50969.html

    • 1 hr 12 min
    353: Apple Chip Flaw Leaks Encryption Keys! (UNPATCHABLE?!)

    This week on Technado, Daniel and Sophie kick off Rapid Fire with some highlights from Pwn2Own Vancouver. Then, we jump into a novel cred-harvesting phishing campaign, CozyBear's latest attack on German politicos, and a special Pork Chop Sandwiches segment: millions of hotel door locks are impacted by a 36-year-old flaw. We wrap up the Rapid Fire with the Nemesis Market takedown, yet another update on CISA's Ivanti troubles, and the "unpatchable" exploit affecting Apple M-series chips.
    In another Python-focused Deep Dive, Daniel takes us through a supply chain cyberattack that's impacting thousands of GitHub users and developers. To close the segment, we take a quick look at a new Loop DoS attack that targets app-layer protocols.
    Want to keep reading? Check out the articles the Technado crew covered this week!
    Rapid Fire:
    Pwn2Own https://www.zerodayinitiative.com/blog/2024/3/21/pwn2own-vancouver-2024-day-two-results
    Conversation Overflow Attack https://www.darkreading.com/cloud-security/conversation-overflow-cyberattacks-bypass-ai-security
    CozyBear Phishing for Dinner https://www.theregister.com/2024/03/23/russia_cozy_bear_german_politicians_phishing/
    Unsaflok Flaw https://www.bleepingcomputer.com/news/security/unsaflok-flaw-can-let-hackers-unlock-millions-of-hotel-doors/
    Nemesis Takedown https://www.bitdefender.com/blog/hotforsecurity/german-authorities-take-down-darknet-marketplace-nemesis-market/
    CISA Ivanti Notice https://www.crn.com/news/security/2024/cisa-urges-patching-for-critical-ivanti-vulnerability?itc=refresh
    Apple M-Series Vulnerability https://www.itpro.com/security/a-vulnerability-in-apple-m-series-chips-could-expose-encryption-keys-and-harm-performance-and-the-flaw-is-unpatchable
    Deep Dive:
    GitHub Python Supply Chain Attack https://checkmarx.com/blog/over-170k-users-affected-by-attack-using-fake-python-infrastructure/
    Loop DoS Summary https://cispa.de/en/loop-dos
    Loop DoS Advisory https://cispa.saarland/group/rossow/Loop-DoS

    • 1 hr 9 min
    352: Hacker Leaks AT&T Data! (71 Million Customers Affected!)

    It's all about RCE this week on Technado! First up, in our Rapid Fire segment, the new "GhostRace" attack can bypass security checks to access sensitive info. In the ongoing WordPress saga, some miniOrange plugins have a critical flaw - including its malware scanner. Over 130k Fortinet boxes are still susceptible to a month-old (already patched!) flaw, and AT&T suffered a breach exposing 70 million customers' data - or did they?
    For fans of Esports and Apex Legends, an RCE flaw forced ALGS finals to shut down - but no one seems to know whose fault it really is. And in our Behind Bars segment, a Moldovan national will serve 42 months in a US prison for selling 350k+ stolen creds.
    After a quick break to discuss Robocop (Sophie's latest movie assignment), it's time for a Deep Dive! Daniel takes us through a breakdown of an attack campaign designed to use Captchas, HTML, and other legitimate services to steal information. Finally, Fortra FileCatalyst has a flaw in its file uploading feature. Patch now!
    Want to read further? Check out the articles Soph and Dan covered today:
    https://www.darkreading.com/cyber-risk/ghostrace-speculative-execution-attack-cpu-os-vendors
    https://thehackernews.com/2024/03/wordpress-admins-urged-to-remove.html
    https://www.theregister.com/2024/03/18/more_than_133000_fortinet_appliances/
    https://www.bleepingcomputer.com/news/security/att-says-leaked-data-of-70-million-people-is-not-from-its-systems/
    https://www.bleepingcomputer.com/news/security/apex-legends-players-worried-about-rce-flaw-after-algs-hacks/
    https://thehackernews.com/2024/03/e-root-marketplace-admin-sentenced-to.html
    https://www.netskope.com/blog/from-delivery-to-execution-an-evasive-azorult-campaign-smuggled-through-google-sites
    https://labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/
    https://www.imdb.com/title/tt0093870/

    • 1 hr 12 min
    351: Google has a Mole?! (Corporate Espionage!)

    Daniel and Sophie jump right into this week's episode with the return of favorite segments like D'oh, Behind Bars, and Who Got Pwned. They cover a VMware patch so urgent, it's even being issued to EOL software. Roku had some trouble this week with angry customers and breached accounts (which, by the way, are barely worth 50 cents). We saw some sour news from the US government this week: CISA fell victim to a breach, and the FBI announced record losses to cybercrime in 2023. The Technado team covers all this and more in this week's Rapid Fire segment.
    In today's Deep Dive, Daniel gives us a detailed look at MagnetGoblin (the threat behind Ivanti, Magento, and more hacks). We take a look at some of the threat group's favorite tools and tactics, as well as the 1-day vulnerabilities they've been exploiting recently. In a bonus Deep Dive, there's a Python Infostealer lurking in messaging services - and thanks to the researchers at Cybereason, we have the latest on each variant and how this attack works.
     

    • 1 hr 11 min
    350: Hackers Stealing NTLM Hashes?! (featuring Mike Saunders!)

    This week on Technado, Daniel and Sophie welcome special guest Mike Saunders of Red Siege!
    In our new Rapid Fire segment, the team covers the top security news of the week with fast-paced commentary and hot takes. Kali Linux has a new release, NSO Group and Meta are still locked in a lawsuit, CISA’s issuing a new warning re: ransomware, and thousands of ChatGPT creds are up for sale on the black market. And as always, there are plenty of vulnerabilities to be found: the team talks a zero-day exploited by Lazarus, three severe vulnerabilities in a Zeek plugin, and the recent AMEX 3rd-party breach.
    After a short break, it’s another new segment: Deep Dive! With Mike’s help, Dan and Soph get into the details of a new Linux variant of BIFROSE remote access trojan, featuring some visuals and demos courtesy of Daniel. Finally, the trio covers the nitty-gritty of TA577’s novel attack chain involving phishing to steal NTLM authentication hashes.

    • 1 hr 16 min
